Identity & Access Management (IAM)
Summary: Identity & Access Management (IAM) is the collection of policies, processes, technologies, and controls used to manage digital identities and regulate access to systems, applications, data, and services. Effective IAM ensures that the right people have the right access to the right resources at the right time, while reducing security risks and supporting compliance requirements.
Context
Modern organisations depend upon hundreds, sometimes thousands, of interconnected systems. Employees, contractors, customers, partners, applications, services, and devices all require some form of digital identity.
Without a structured approach to managing identities and access permissions, organisations quickly face security challenges, operational inefficiencies, and compliance risks.
IAM provides a framework for:
- Identifying users and systems
- Authenticating identities
- Authorising access
- Managing permissions
- Auditing activity
- Enforcing security policies
While IAM is often associated with user logins, it extends far beyond authentication and forms a critical component of modern cybersecurity architecture.
Common Misconceptions
- IAM is not simply Active Directory.
- IAM is not just password management.
- IAM is not solely a security concern.
- IAM is both a business process and a technical implementation.
Many access-related incidents result from poor governance rather than technical failures.
Core Concepts
Identity
An identity represents a person, service, application, device, or process within a system.
Examples include:
- Employee accounts
- Service accounts
- Application identities
- Customer identities
- Managed devices
An identity should uniquely represent a single entity.
Authentication
Authentication answers the question:
"Who are you?"
Common authentication methods include:
- Username and password
- Multi-Factor Authentication (MFA)
- Smart cards
- Certificates
- Biometrics
- Security keys
Authentication establishes confidence in an identity claim.
Authorisation
Authorisation answers the question:
"What are you allowed to do?"
After authentication succeeds, systems evaluate permissions, roles, policies, and access rules before granting access to resources.
Examples include:
- Read access
- Modify access
- Administrative privileges
- Application-specific permissions
Accounting and Auditing
Authentication and authorisation are only part of the picture.
Organisations must also record:
- Login activity
- Permission changes
- Administrative actions
- Resource access events
These records support security investigations, compliance audits, and operational troubleshooting.
Identity Lifecycle Management
IAM is fundamentally about managing identities throughout their lifecycle.
Joiner
When a new employee joins:
- Identity is created
- Accounts are provisioned
- Access is assigned
- Security policies are applied
Mover
When responsibilities change:
- Permissions are reviewed
- New roles are assigned
- Old permissions are removed
Leaver
When an individual leaves:
- Accounts are disabled
- Authentication methods are revoked
- Access permissions are removed
- Audit records are retained
Failure to properly manage the Joiner-Mover-Leaver process is one of the most common causes of excessive permissions and unauthorised access.
Access Control Models
Role Based Access Control (RBAC)
Users are assigned roles.
Example:
- Helpdesk Operator
- HR Manager
- Finance Administrator
Permissions are granted to roles rather than individual users.
Benefits include:
- Simplified administration
- Consistency
- Easier auditing
Attribute Based Access Control (ABAC)
Access decisions are based upon attributes.
Examples:
- Department
- Location
- Device compliance state
- Time of day
- Security clearance
ABAC enables highly flexible policy-driven access decisions.
Policy-Based Access Control
Modern cloud platforms frequently use policy engines to evaluate access requests dynamically.
Examples include:
- Conditional Access
- Zero Trust Policies
- Risk-Based Access Controls
Authentication Technologies
Multi-Factor Authentication (MFA)
MFA combines multiple forms of verification.
Typical factors include:
- Something you know (password)
- Something you have (token)
- Something you are (biometric)
Compromised credentials remain one of the most common attack vectors, making MFA a foundational security control.
Single Sign-On (SSO)
SSO allows users to authenticate once and access multiple systems.
Benefits include:
- Improved user experience
- Reduced password fatigue
- Centralised security control
Federation
Federation enables organisations to trust external identity providers.
Examples include:
- Microsoft Entra ID
- Active Directory Federation Services (ADFS)
- OAuth Providers
- OpenID Connect Providers
Users authenticate with their home identity provider rather than maintaining separate credentials in every application.
Practical Application
A typical modern enterprise IAM platform may provide:
- Directory services
- Single Sign-On
- Multi-Factor Authentication
- Self-Service Password Reset
- Conditional Access
- Identity Governance
- Privileged Access Management
- Audit Reporting
A common architecture might look like:
+------------------+
| Identity Source |
| HR System |
+---------+--------+
|
v
+------------------+
| IAM Platform |
| Identity Store |
+---------+--------+
|
+-------------------+-------------------+
| | |
v v v
+-------------+ +-------------+ +-------------+
| Microsoft | | SaaS Apps | | On-Premise |
| 365 | | CRM, ERP | | Systems |
+-------------+ +-------------+ +-------------+
Identity Governance
Identity Governance focuses on ensuring access remains appropriate over time.
Typical controls include:
- Access reviews
- Segregation of duties
- Approval workflows
- Periodic recertification
- Exception management
Governance prevents permission accumulation and reduces insider risk.
Privileged Access Management (PAM)
Administrative accounts represent high-value targets.
PAM solutions help organisations:
- Separate administrative and user accounts
- Implement just-in-time access
- Record privileged sessions
- Protect sensitive credentials
- Reduce standing privilege
Modern security strategies increasingly assume that privileged access should be temporary rather than permanent.
Common Pitfalls
Permission Creep
Users gradually accumulate permissions over time.
This often occurs when role changes are not accompanied by access reviews.
Shared accounts reduce accountability and complicate auditing.
Where possible, every action should be traceable to a unique identity.
Service Account Neglect
Service accounts frequently:
- Use static passwords
- Avoid MFA
- Remain undocumented
These accounts often become overlooked security risks.
Excessive Administrator Access
Granting broad administrative permissions for convenience frequently increases the impact of compromise.
Design & Architecture Considerations
When designing an IAM solution, consider:
Scalability
Can the solution support organisational growth?
Security
Does it support:
- MFA
- Conditional Access
- Strong authentication
- Risk-based controls
Maintainability
Can administrators easily:
- Onboard users
- Remove access
- Audit permissions
- Automate processes
Integration
Can identities be integrated across:
- Cloud platforms
- On-premise systems
- Third-party applications
- APIs and services
Troubleshooting & Diagnostics
When access issues occur, investigate:
Identity Issues
- Does the account exist?
- Is it enabled?
- Is it synchronised correctly?
Authentication Issues
- Password problems
- MFA failures
- Certificate errors
- Token expiration
Authorisation Issues
- Missing role assignments
- Group membership problems
- Conditional access restrictions
- Policy conflicts
Audit Logs
Review:
- Authentication logs
- Access logs
- Security alerts
- Provisioning events
Audit trails often reveal the root cause faster than troubleshooting individual systems.
Design Philosophy
Strong IAM systems should follow a simple principle:
Trust identities only after verification, grant access only when required, and continuously validate that access remains appropriate.
This philosophy aligns closely with modern Zero Trust security models, where no user, device, application, or network location is automatically trusted.
Related Topics
- Authentication
- Authorisation
- Active Directory
- Microsoft Entra ID
- Multi-Factor Authentication
- Single Sign-On
- Conditional Access
- Privileged Access Management
- Zero Trust Architecture
References
- NIST Digital Identity Guidelines
- NIST Zero Trust Architecture
- Microsoft Entra Documentation
- OAuth 2.0 Specifications
- OpenID Connect Specifications
- ISO 27001
- CIS Controls